Security log management push has its roots in compliance

Enterprise interest in security log management is heating up as compliance requirements push organisations to get a grip on their log data.

Auditors are prodding companies to think about centralised log management in order to ensure
control over scattered data, said Trent Henry, senior analyst at Burton Group: "So we have one
place that can keep the information and have proper IT controls over the data to make sure it's not
tampered with or lost or accessed by people who shouldn't, and that those policies are
enforced."

No one compliance requirement is driving interest in log management, Henry said. A couple of years ago, SOX was the top concern since it spurred most new audit efforts, but now log data is important for demonstrating an organisation's controls for a variety of regulations, he added.

But Dave Shackleford, vice president at the nonprofit Center for Internet Security and a SANS
instructor, said the PCI Data Security Standard in particular is helping to make log management a
hot topic in the enterprise.

Companies are figuring out that "they already have a lot of the information that they need to
get a good bit of the way towards [PCI] compliance, they just don't have the tools to take that
information and do anything with it," he said.

Log management tools can help organisations drill down and look for specific data strings such
as full track data from credit cards; PCI prohibits storage of such information, so companies can
then take corrective action.
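The kind of check described above, written out as an added example rather than anything from the article or a vendor product: a scanner that looks for Track 1 and Track 2 patterns in log lines, drops candidates that fail the Luhn check to avoid false positives, and reports only masked PANs so the report itself does not become another place full track data is stored. The log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Track 2 equivalent data: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\??")

# Constructed sample log lines; 4111... is a well-known test PAN, 1234... is not Luhn-valid.
SAMPLE_LOG = [
    "10:01:22 pos01 auth ok txn=8812 amount=42.10",
    "10:01:23 pos01 DEBUG raw=;4111111111111111=09121010000000000?",
    "10:02:05 pos02 DEBUG swipe=%B4111111111111111^DOE/JANE^0912101000000?",
    "10:03:44 pos02 DEBUG ref=;1234567890123456=0912101?",
]


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid track-data hit: line number, track type, masked PAN."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append({"line": lineno, "track": track, "pan": mask_pan(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['track']} data found, PAN {f['pan']}")
```

Running it over the sample flags lines 2 and 3 and ignores line 4, whose PAN-shaped digits fail the Luhn check.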

The log management market includes tools from LogLogic, LogRhythm, Splunk, syslog-focused
products such as Kiwi Enterprises' Syslog Daemon and freeware like Unix's syslog daemon. Also, security information
management (SIM) vendors have begun tailoring their product lines to meet the demand for log
management by offering options that focus on providing more storage capacity than correlation
capability.

At the Burton Group Catalyst Conference, Jay Leek -- manager of
corporate IT security services at Nokia -- plans to talk about practical considerations for log
management and how a centralised system can improve compliance, incident response and
troubleshooting while also saving time and money.

"Whether people want to acknowledge it or not, we're generating a significant amount of log data
in any enterprise environment and there's a lot of cost associated with generation, collection and
storage of log data," Leek said.

Without any control over what's being logged, companies can spend a great deal of time and
effort searching through log data during an incident investigation or when trying to troubleshoot
an IT problem, he said. Inconsistent logging formats and relying on homegrown scripts for analysing
and managing logs contribute to the difficulty.

Not having control over what's logged, what's stored and who has access to it can also create problems for a company that does business internationally, because retention and privacy laws differ from one country to another, Leek said. For example, in France, log data containing personally identifiable information can be retained for a maximum of six months, while Russia requires some log data to be kept for five years.

Deploying a log management system can streamline compliance and reduce the amount of resources needed to respond to numerous IT, security and audit requests for log data, Leek said. It provides the segregation of duties needed for various compliance purposes and can also guarantee chain of custody for forensics investigations. In addition to manpower savings, a centralised system reduces hardware and support costs.

Solid, enterprise-class tools for log management have come into the market in the past couple of
years, he said. In particular, some tools provide for centralised management without storing log
data in one place, which allows companies to comply with individual country laws.

Shackleford said a company looking to buy a log management solution should first consider its current volume of log data: "That could make or break a technology decision because some of the players don't have support for big-time storage."

Another consideration is the platform diversity in its environment; homegrown and legacy applications may not fit into standard logging formats, he said. While log management vendors say they can parse any data, some make it easier than others.

Other factors to weigh when making a purchase are scalability and a vendor's viability,
Shackleford added.
